openldap-technical January 2008

openldap-technical@openldap.org

48 participants
57 discussions

log fields
by Gustavo Mendes de Carvalho 26 Feb '08

26 Feb '08

Hi there, I would like to get some documentation that can describe, in details, which fiileds there are present in ldap.log file, and the meaning of each field. I need some information about 7th field (op=33 in first line). Where can I find all codes used in this field ? Jan 10 11:50:21 ldap01 slapd[10819]: conn=1702 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 10 11:50:25 ldap01 slapd[10819]: conn=1702 op=34 SRCH base="uid=gustavo,ou=company,c=org" scope=0 deref=0 filter="(objectClass=*)" Jan 10 11:50:25 ldap01 slapd[10819]: conn=1702 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 10 11:50:26 ldap01 slapd[10819]: conn=1702 op=35 SRCH base="uid=gustavo,ou=company,c=org" scope=0 deref=0 filter="(objectClass=*)" Jan 10 11:50:26 ldap01 slapd[10819]: conn=1702 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text= Jan 10 12:28:13 ldap01 slapd[10819]: conn=1702 op=36 UNBIND Jan 10 12:28:13 ldap01 slapd[10819]: conn=1702 fd=21 closed Thanks --- Gustavo e-mail: gmcarvalho(a)gmail.com

5 7

Change LDAP User's Password
by Le Trung Kien 26 Feb '08

26 Feb '08

Hi, I'm confused about ldap authentication. I'm attempting to use ldap with kerberos 5, when changing an user's password, I issused: user1]$ passwd Kerberos 5 Password: ****** New UNIX password: ****** Retype new UNIX password: ****** All things go well, however, still have a password don't change, and I don't know what this password is. And how to change it. Still that user, I can't use 'ldappasswd' user1]$ ldappasswd SASL/GSSAPI authentication started SASL username: user1(a)MYREALM.COM SASL SSF: 56 SASL installing layers New password: yPYNAgvO <--- this changes frequently Result: Internal (implementation specific) error (80) Additional info: SASL(-7): invalid parameter supplied: Error putting OTP secret I should emphasize that the user1 has two passwords, the first one can be changed with 'passwd' or 'kpasswd', the other I don't know how to access it, although this second password still works and it's can be used to login. More information: user1]$ passwd Kerberos 5 Password: <--- type a wrong password and got following (only the first password works here) Enter login(LDAP) password: <--- the second password works here New UNIX password: ****** Retype new UNIX password: ****** LDAP password information update failed: Insufficient access passwd: Permission denied Best Regards. -- Le Trung Kien.

2 7

Best method to set access permissions to third parties application with LDAP
by Benjamin Watine 01 Feb '08

01 Feb '08

Hello the list, I have to use LDAP to define access permissions for many third parties applications. So, I wonder what is the best way to organize my LDAP tree. I see two possibilities : - Set a LDAP group for each access level of each application, and create users that belongs to those groups. ex : GlobalServiceGroup | |__Application1Group | |__guestGroup | | |__user1 | | |__user2 | |__userGroup | | |__user3 | | |__user4 | |__adminGroup | |__Application2Group |__devTeamGroup | |__user1 | |__user2 | |__user3 | |__user4 |__testTeamGroup |__adminTeamGroup The problem of this solution is that I have to set a lot of groups, so my LDAP tree would became very complex to administrate. - Another way would be to define my own LDAP classes, with an attribute for each application that define the access level (guest, user, admin, etc). The problem of this solution is that I'm not anymore in the standard LDAP schema, and loose interoperability with standards LDAP clients. What is the best way to set that. Is there is another possibility than the two I mentioned before ? Thank you ! Ben

3 2

Export / import ldap database between 2.2.29 & 2.3.27
by asiani＠free.fr 01 Feb '08

01 Feb '08

Hello, My source server : openldap-clients-2.2.29-1.FC3 perl-Net-LDAP-0.3202-1.1.fc3.rf nss_ldap-220-3 openldap-devel-2.2.29-1.FC3 php-ldap-4.3.11-2.8.4.legacy smbldap-tools-0.9.1-1.1.fc3.rf openldap-2.2.29-1.FC3 openldap-servers-2.2.29-1.FC3 My destination server : openldap-2.3.27-8 openldap-devel-2.3.27-8 perl-LDAP-0.33-3.fc6 php-ldap-5.1.6-15.el5 python-ldap-2.2.0-2.1 nss_ldap-253-5.el5 openldap-servers-2.3.27-8 I export my database from source : ldapsearch -LLL -x -h localhost -D "cn=Manager,dc=myDomain,dc=com" -w password -b "dc=myDomain,dc=com" > /backups/ldap/ldap-fs4-$TODAY.ldif dn: dc=myDomain,dc=com objectClass: dcObject objectClass: organization o: myDomain dc: myDomain dn: ou=Users,dc=myDomain,dc=com objectClass: organizationalUnit ou: Users dn: ou=Groups,dc=myDomain,dc=com objectClass: organizationalUnit ou: Groups dn: ou=Computers,dc=myDomain,dc=com objectClass: organizationalUnit ou: Computers dn: cn=NextFreeUnixId,dc=myDomain,dc=com objectClass: inetOrgPerson objectClass: sambaUnixIdPool cn: NextFreeUnixId sn: NextFreeUnixId gidNumber: 1001 uidNumber: 1154 dn: uid=smbguest3,ou=Users,dc=myDomain,dc=com objectClass: inetOrgPerson objectClass: sambaSamAccount objectClass: posixAccount objectClass: shadowAccount (...) and try to add in my destination server : slapadd -l fichier.ldif The system failed with this error : str2entry: invalid value for attributeType objectClass #1 (syntax 1.3.6.1.4.1.1466.115.121.1.38) slapadd: could not parse entry (line=69) The database is working well on source server...do y have an idea ? Thank you very much ! Alain

3 3

ldap_search_ext_s: maximum no of entries
by Rakesh Yadav 31 Jan '08

31 Jan '08

Hi, In case of ldap_search_ext_s: We can pass,how many entries we want. In my case i can retrieve only 100 entries at a time due to the size limit of my buffer. But the ldap search which i am using will return 1000 entries. Is there any way through which i can retrieve 1000 entries in chunks of 100. first time i will fetch 100 entries then again next 100 entries then again next 100 entries..... ... ... In this way i will retrieve all the entries. Please tell me the way of fetching entries from LDAP. -- Thanks Rakesh Yadav

6 8

Please Help
by Umar Draz 31 Jan '08

31 Jan '08

Dear Members! I recently installed openldap and running successfully but there is some lines i saw in ldap log file. bdb_equality_candidates: (memberUid) not indexed bdb_equality_candidates: (sambaDomainName) not indexed Please help what is this and how i can fix that Kind Rgards, Umar Draz --------------------------------- Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.

1 0

OpenLDAP Log format
by Gustavo Mendes de Carvalho 31 Jan '08

31 Jan '08

Hi there, I would like to know where can I find some document describing all fields and other informations about openldap log file and replication log file (slurp and syncrepl). Thanks in advance --- Gustavo Mendes de Carvalho e-mail: gmcarvalho(a)gmail.com

1 0

loglevel - ip client in logfile
by Christophe Dumonet 31 Jan '08

31 Jan '08

Hello from france, My question is about logs and so loglevel parameter for openldap 2.0 ( yes, this is and older version...! migration is in progress...) Basically, I want my logs contains IPs clients to do some tuning because of some CPU overloads occures while we are installing a new RADIUS client for this LDAP server. So I try to change my loglevel ( as describe here http://www.zytrax.com/books/ldap/ch6/#loglevel ) and no IP appears in logfile while loglevel is set to -1 (or whatever number). Is it possible ? Is my openldap version too old ? Is there other things to do ? Thanks, any help would be appreciate ! Christophe Dumonet. -- ---------------------------------------------------- Christophe Dumonet Centre de Ressources Informatiques Institut Francais de Mecanique Avancee (IFMA) Campus des Cezeaux BP 265 63175 AUBIERE Cedex Tel : +33 - 4.73.28.80.64 Fax : +33 - 4.73.28.81.00 Mail : Christophe.Dumonet(a)ifma.fr ----------------------------------------------------

1 0

Can't contact LDAP Server
by shanmuga priya 30 Jan '08

30 Jan '08

hello all, I was following the documentation to setup openLDAP stuff - http://www.jukie.net/~bart/ldap/ldap-authentication-on-debian/<http://www.jukie.net/%7Ebart/ldap/ldap-authentication-on-debian/> I've modified the ldap.conf and slapd.conf accordingly. But when I tried for testing by doing: ldapsearch -x -W -D 'cn=admin,dc=example' 'objectClass=*' I got the following message: Can't contact LDAP Server How to overcome this problem?? -- Future is now..

4 4

Querying for olcDatabase parameters
by Josh Miller 30 Jan '08

30 Jan '08

Good morning, What is the trick to querying cn=config for olcDatabase entries? I am running OpenLDAP 2.4.7 with a full directory, converted from slapd.conf to slapd.d and everything seems to be running just fine. I can query the directory and I get back all of the entries that I would expect to find. I have renamed my slapd.conf file to ensure that I am not relying upon it, yet I don't see any olcDatabase entries when I query cn=config: [:user@host:] ldapsearch -x -H ldap://localhost/ -D "cn=config" -b 'cn=config' -W cn=config -LLL Enter LDAP Password: dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: /etc/openldap/slapd.conf olcConfigDir: /etc/openldap/slapd.d olcArgsFile: /var/run/openldap/run/slapd.args olcAttributeOptions: lang- olcAuthzPolicy: none olcConcurrency: 0 olcConnMaxPending: 100 olcConnMaxPendingAuth: 1000 olcGentleHUP: FALSE olcIdleTimeout: 0 olcIndexSubstrIfMaxLen: 4 olcIndexSubstrIfMinLen: 2 olcIndexSubstrAnyLen: 4 olcIndexSubstrAnyStep: 2 olcIndexIntLen: 4 olcLocalSSF: 71 olcLogLevel: 256 olcPidFile: /var/run/openldap/run/slapd.pid olcReadOnly: FALSE olcSaslSecProps: noplain,noanonymous olcSecurity: ssf=128 olcSecurity: tls=128 olcSecurity: update_ssf=128 olcSecurity: update_tls=128 olcSecurity: simple_bind=128 olcSockbufMaxIncoming: 262143 olcSockbufMaxIncomingAuth: 16777215 olcThreads: 16 olcTLSCACertificateFile: /usr/share/ssl/certs/posca3.crt olcTLSCertificateFile: /etc/pki/tls/certs/host.crt olcTLSCertificateKeyFile: /etc/pki/tls/certs/host.key olcTLSCipherSuite: HIGH:MEDIUM:+SSLv2:RSA olcTLSCRLCheck: none olcTLSVerifyClient: never olcToolThreads: 1 [:user@host:] ll /etc/openldap/slapd.d/cn\=config total 64 -rw------- 1 ldap ldap 398 Jan 10 13:22 cn=module{0}.ldif drwxr-x--- 2 ldap ldap 4096 Jan 10 13:22 cn=schema -rw------- 1 ldap ldap 38702 Jan 10 13:22 cn=schema.ldif -rw------- 1 ldap ldap 1163 Jan 10 13:22 olcDatabase={0}config.ldif drwxr-x--- 2 ldap ldap 4096 Jan 10 13:22 olcDatabase={1}bdb -rw------- 1 ldap ldap 2827 Jan 10 13:22 olcDatabase={1}bdb.ldif -rw------- 1 ldap ldap 1236 Jan 10 13:22 olcDatabase={-1}frontend.ldif TIA, -- Joshua M. Miller - RHCE,VCP

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2008